
Answers to your frequently asked questions

Everything you need to know about working with Devo.

What is Devo?

Devo is a cloud-based, multitenant, centralized log management solution designed for the massive scale and performance requirements of the data age. Devo collects machine data generated by traditional machine data sources as well as business applications, all in real time, to facilitate sophisticated analytics using a single pane of glass. Devo enables organizations to gain insights into their applications, infrastructure, and business systems using built-in applications, real-time dashboards, and alerts. It also gives security and IT professionals and data scientists the tools they need to extract valuable and actionable intelligence from petabytes of data.

Is Devo only available as a cloud solution or can it be deployed on-site?

Devo is a cloud-first solution. Devo is deployed as a fully managed SaaS offering in AWS and GCP and is available in multiple regions. The SaaS solution offers an excellent value in terms of high scalability, low operating costs, and limited data management requirements. Because Devo is a fully multitenant solution, data can reside in multiple regions with Devo still offering a global view of all data.

Is there a limit to the number of users that can use Devo?

No, there is no limit to the number of users that can use Devo. Devo is not licensed by the number of users.

What browsers does Devo support?

We recommend using the latest version of Google Chrome or Mozilla Firefox.

How long does it take for users to become proficient with Devo?

From the outset, Devo was designed to be easy-to-use and intuitive while also enabling complex and sophisticated tools for data analysis.

It takes just a few sessions for most users to master the basics of navigating the web application, selecting data tables, and building queries. That said, Devo offers free online training courses that prepare users with what they need to know to get results with Devo right away. Devo also offers custom on-site training as part of our professional services. Learn more about Devo training services.

What cloud services can Devo work with?

Devo can collect and derive analytics from any cloud provider’s operational event data.

When does Devo parse log events, and how?

Devo is not like other solutions that parse and index events as soon as they are delivered to the platform. As data enters the Devo Platform it is classified and stored using its associated Devo tag which corresponds to the specific type of data source. Events are stored exactly as they were received by Devo, unchanged. Parsers, which are associated with event tags, are only applied at query time, allowing the platform to adapt to any change in data format without requiring changes to existing data or queries.

If Devo doesn’t use a single index to find data, does data retrieval take longer?

No, actually it’s much faster. Instead of one enormous index, Devo asynchronously generates many small and lightweight indexes.

Let’s say that firewall events make up about 10% of your data repository. When you open a search that calls a firewall table (i.e., a table with a firewall tag like, only 10% of the data in the repository needs to be searched to locate and retrieve the associated events.

Devo’s agile and intelligent system for indexing data speeds data ingestion and means that your data is stored hot and stays hot for as long as you need it to.

Is there a Devo API?

Yes. In fact, we offer two APIs.

Our REST API enables programmatic access to data stored in Devo, lets you run queries remotely, and either return the results to the requestor or to another repository (like S3, Hadoop, or Kafka). You can also manage jobs — these are the query requests that are actively querying and redirecting the results to another repository.

The Provisioning API is available to carry out actions related to managing security credentials, users, and some other domain-related attributes. It is particularly useful for very large implementations or for resellers.

What kind of events can I send to Devo?

Any kind of events! Devo can ingest any kind of data that can be stored in text format. This includes application logging events, JSON formatted data, records from relational databases, social media activity, and much more.

How are events sent to Devo?

This depends on the event source, its location, and source capabilities. What’s important to understand is that both the Devo Relay and Devo itself are designed to receive syslog events.

If an event source lets you assign the correct Devo tag in the source system and is able to establish a secure channel using authenticated TLS over TCP, it can be configured to send events directly to Devo.

This is the case with both Windows and Linux machines as well as many commercial software systems.

However, many sources are unable to meet both of these requirements. In these cases, events can be sent untagged to a Devo Relay that resides within their organization’s network. The relay can be configured with a rule that will apply the correct Devo tag, then forward the event to Devo over a secure, encrypted channel.

Data can also be sent to Devo using netflow, an HTTP endpoint, or by simple file upload using the web application. Learn more.

How much bandwidth is needed to send events to Devo?

That depends on how much data your events contain and how many events you are sending. In all cases, the Devo Relay compresses data before forwarding it to Devo in order to optimize bandwidth efficiency.

What is a Devo tag and why is it important?

A Devo tag is a special descriptor that needs to be attached to every event sent to the Devo Cloud. The tag tells Devo a couple of important things:

  • It identifies the specific event source.
  • It dictates to Devo where the event has to be saved in the Devo repository.

Each Devo tag is linked in the platform to a parser that is designed specifically to parse the events with that tag. So when a user selects a data source in the Finder, the associated parser is called to parse the events for display in the search window. The parser determines the column names and data types in the table.

So, you can see that the tag is central to correctly saving, accessing, and parsing the events collected in Devo. Read more about tags or check out the complete list of already supported technologies and their tags.

Is Devo really real time?

The lightning-fast answer is yes. In most cases, the difference between the event timestamp (when the event occurred in the source system) and the Devo eventdate (when the event was received by Devo) is measured in milliseconds. And events are immediately available for queries. No waiting.

There are exceptions to this for systems that are specifically configured to send data at intervals. Such configurations are generally due to limitations of the source system, however, and the vast majority of data sources we’ve set up to send events to Devo are as close to real time as you could want.

What query language does Devo use?

Devo uses standard LINQ, which is based upon SQL. Users who are comfortable with a query language can use query editors to create and edit their queries.

That said, it is not necessary for all users to master LINQ to use Devo effectively or to build complex, sophisticated queries. Devo was designed to make queries accessible to users of all skill levels. The user-friendly Devo search window displays data in table format and contains a number of interface tools that simplify filtering, data enrichment, grouping, and data aggregation operations. But behind it all is a LINQ query that you can view and edit at any time.

What kinds of aggregate functions can Devo calculate in queries?

Lots. The aggregate functions available range from the common (like count and average) to the specialized (like unbiased variance and percentiles). Check out the complete list of aggregate functions.

What sort of data enrichment is possible in Devo?

Data enrichment is performed on the fly by selecting the field to be enriched and specifying the source or operation with which to enrich the data. Devo comes prepared with dozens of operations you can use to enrich your query data. The product documentation contains a complete list of the standard operations and describes how they are used.

In addition, you have a few other options for adding proprietary static and dynamic lookup data. You can:

  • Upload static lookup data in CSV files. For example, a file that associates an email address with information like job title, employee ID, and so on. More info.
  • Use queries to generate static or dynamic lookups that contain the set of values that appeared in selected fields over a given time period. More info.

Can I view and manage all of the queries being executed in my domain?

Users with the necessary permissions, such as admin users, can view a list of the queries currently active in the domain in Data Search – Query Management. Learn more.

I want to query data in Devo and forward it to another application, is that possible?

Yes. Our REST API gives you the possibility of remotely issuing a query to Devo, then forwarding the results to a different destination (asynchronous response). Currently, it’s possible to forward results to Amazon S3, HDFS, or Kafka using the POST/query parameter destination. Learn more.

Can I share queries between users in my accounts?

Yes, as long as the other users have permission to access the data table(s) that feed the query. You can simply copy the query’s LINQ expression and provide it to the other user by email.

We use Tableau for data visualization. Is there some way to integrate it with our Devo domain?

Yes. You can easily set up an OData feed so you can pull data from your query in Devo into another external tool like Tableau, Power BI, or Excel. It’s really easy and quick to do. Read about it here.

While you may continue to use your external visualization and analysis tools, Devo’s Activeboards give you built-in, easy-to-use functions for building a wide variety of charts, maps, and tables for visual, interactive reporting.

Where can I build charts based on my query data?

You can build a variety of charts and graphs when you are creating or editing Devo dashboards. However, you can also build charts on the fly from within the Search window when you’re working with your data. This makes it easy to test your query data and the possible visualizations before adding them to a dashboard.

How many dashboards can I build?

There is no limit to the number of dashboards that can be built.

Can I create custom dashboards?

Yes, as many as you need. Devo Activeboards can contain several types of charts including geographic maps, Voronoi diagrams, line charts, and many more. Simple controls let you use a single dashboard to view data for current or historic time periods.

Inputs are special controls that you can add to your Activeboards to enable interactivity with the widgets in your board. Learn more about Activeboards.

How do you secure inbound and outbound data connections?

We strongly recommend TLS over TCP with certificate authentication for channels sending data directly to Devo in a public cloud. Events can also be sent to Devo via a Devo relay installed within the customer’s secure network. The relay sends data to Devo using TLS encrypted with RSA-2048 and SHA256 and using X.509 certificates for authentication.

OAuth tokens are available to secure data sent over HTTP.

Devo provides several types of security credentials to authorize connections with your Devo domain including API key/secrets, X.509 certificates in several standard formats, and OAuth tokens. These are found in the Administration → Credentials area of the web application.

How secure is the web application?

Domain admins can enable up to three levels of authentication for user logins: basic authentication using email/password, multi-factor authentication, and/or SAML single sign-on using Google, Okta, or OneLogin.

Connections are encrypted by SSL certificate using the RSA public-key SHA-2 algorithm.

Do you have role-based access controls (RBAC)?

Yes, Devo uses application roles to control access to application features and resources like shared dashboards, vertical apps, and panels. Roles are cumulative, meaning that one user can have multiple roles and their permissions will be the sum of the roles they possess. There are three default roles that cannot be changed:

  • Admin — Has access to all application resources.
  • Owner — Same as the admin but there is only one owner. By default, the owner is the user who created the domain but this role can be re-assigned.
  • No Privileges — Has very limited access to application features.

In addition to these, you can define as many custom roles as you need to control access to the resources in your domain. Learn more.

What compliance frameworks are your controls based upon?

Devo maps across NIST 800-53r4 controls, and Devo also complies with SOC2 type 2 requirements, SAS-70 SSAE-16 controls, HIPAA HITECH, PCI-DSS, and GDPR as both custodian and provider.

Can we control what data our users can access?

In Devo, users access data using a Finder which contains links to virtual data table views. Domain Admin users can create custom finders that provide access only to specific tables and they can create as many custom finders as needed. These finders are then assigned as the default finder for application roles. This means that users will only be able to access data in tables that have been specifically allowed for the application role(s) they possess.

You can also control who can use your custom lookups by restricting them for use with specific tables. If no restrictions are applied to a lookup, it is available for users building queries on any tables in the domain.

Can I mask personally identifiable information data in Devo?

Yes. You can mask data in several ways: at the Devo Relay, before it is sent to Devo, or at query time, when data is queried to be displayed. In the latter case, thanks to Devo’s flexible RBAC, you can configure it so that some users view masked data while privileged users can view the full data. Because Devo always saves data in its raw, unchanged format, it is possible to apply masking rules to events at query time, regardless of when they were delivered to Devo. It all comes down to your needs!
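A small model of query-time masking over unchanged raw events, combined with the cumulative roles described in the RBAC answer. This is an added illustration, not Devo code or the Devo API; the tag `demo.mail.log`, the role names, the permission strings and the log lines are all constructed for the example.

```python
import re

# Constructed raw events, stored unchanged under a hypothetical tag.
RAW_STORE = {"demo.mail.log": [
    "2024-05-01T10:00:00Z from=alice@example.com to=bob@example.org size=1822",
    "2024-05-01T10:00:05Z from=carol@example.net to=alice@example.com size=640",
    "garbled line mentioning dave@example.com",  # does not match the parser
]}

# One parser per tag, applied only when a query reads the events.
PARSERS = {"demo.mail.log": re.compile(
    r"(?P<eventdate>\S+) from=(?P<sender>\S+) to=(?P<recipient>\S+) size=(?P<size>\d+)"
)}

# Fields that hold personal data, per tag (assumed masking rule).
MASKED_FIELDS = {"demo.mail.log": ("sender", "recipient")}

# Roles are cumulative: a user's permissions are the union over all roles held.
ROLE_PERMS = {"analyst": {"read:demo.mail.log"}, "privacy_officer": {"unmask:pii"}}


def effective_perms(roles):
    perms = set()
    for role in roles:
        perms |= ROLE_PERMS.get(role, set())  # unknown roles grant nothing
    return perms


def mask_email(value):
    local, _, domain = value.partition("@")
    return f"{local[:1]}***@{domain}"


def query(tag, roles):
    """Parse and mask at read time; RAW_STORE is never modified."""
    perms = effective_perms(roles)
    if f"read:{tag}" not in perms:
        raise PermissionError(f"no role grants access to {tag}")
    can_unmask = "unmask:pii" in perms
    rows = []
    for line in RAW_STORE[tag]:
        match = PARSERS[tag].fullmatch(line)
        if match is None:
            # Fail closed: unparsed text cannot be masked per field, so withhold it.
            rows.append({"raw": line if can_unmask else "[unparsed event withheld]"})
            continue
        row = match.groupdict()
        if not can_unmask:
            for field in MASKED_FIELDS.get(tag, ()):
                row[field] = mask_email(row[field])
        rows.append(row)
    return rows
```

Because masking is decided per query from the caller's combined roles, events stored before a masking rule existed are covered by it, and a line the parser cannot split into fields is withheld rather than shown in the clear.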

How are alerts created in Devo?

Devo comes with predefined alerts that are based on common data sources and you can enable or disable these alerts as you choose. You can browse the list here.

Of course, you can create custom alerts to serve your needs. The first step is to build the query that allows you to identify the conditions that should trigger the alert. Then, using a tool available in the search window, you create the alert by giving it a name, a message, a description, and by defining the trigger method. Once you save the alert, you associate it with a sending policy in the Administration → Alert Configuration area. A sending policy dictates how and to whom the alert message should be distributed and also sets calendar parameters that define when alert messages should be sent.

An Alert Dashboard is available to view and manage the alerts triggered most recently in your domain.

How does Devo distribute alerts?

There are currently several alert delivery types:

  • Email – Send alert information to individuals or groups by email.
  • HTTP-JSON — Set up alert messages to be sent over HTTP to any system that can receive data in JSON format.
  • Service Desk and Jira — Automatically generate tickets in Service Desk Plus or Jira.
  • Pushover — Distribute alerts as mobile broadcast messages.
  • PagerDuty — Deliver alert information to a PagerDuty server.
  • Slack — Post alert information to a Slack channel.

A single alert can be distributed using one or more delivery types. All triggered alerts appear listed in the Alert Dashboard in the Devo web application.

How is the price determined?

Devo tailors its pricing to meet the needs of your business. Pricing is contingent on the volume of ingest per day averaged over a 30-day period. Devo has a tiered pricing model in which discounts are applied based on average volume of ingest per day.

How is the Devo service billed?

Devo bills on a straightforward 12-month subscription plan that is based on the average volume of data ingested daily. All Devo SaaS subscriptions and licenses include 400 days of encrypted and compressed data storage, and an unlimited number of domain users.

Using the web application’s Home page, the domain administrator can easily monitor ingestion rates and clearly identify the data sources responsible for sending the most data to the Devo repository. This way the customer stays in complete control of the amount of data sent to Devo. Contact our sales team for more information.

Do you have a global support model?

Yes. All Devo subscriptions and licenses include 24/7/365 customer support. Learn more.

Do you offer professional services?

Yes. Devo offers a wide variety of professional services including our Quick Start implementation, application development, parser development, data migration, and any other custom services to ensure that your company is maximizing the value of the Devo Platform. Learn more about Devo professional services here.

What is the maximum amount of data I can store and ingest with Devo?

The cloud’s the limit. We don’t put a cap on the amount of data you can ingest per day; it’s dependent upon the resources available for your needs. Devo was designed to be scalable and to grow with your data needs.

Data is compressed at an average 10:1 ratio for excellent storage efficiency and is always hot for fast access. By default, data is stored in Devo for one year. If you need to retain data for longer, no problem, just contact your Devo account manager.

How can I monitor and control the total amount of data we send to Devo?

The Home area of the Devo web application is designed to give you an up-to-the-minute, visual summary of data ingested and recent alert activity. Tables and charts on this page give you:

  • Live inbound data flow in events per second and volume per second.
  • The most recently triggered alerts.
  • The top data sources by number of events ingested.
  • Total, cumulative storage used by both volume and number of events.
  • A historical view of daily volume ingested over the last 365 days. Note: This view may display historical information that extends past your contracted data retention timeframe and is not an indicator of whether data has been deleted per your data retention policy.

Can I resell Devo?

We have a reseller program that allows value-added resellers to offer Devo service to their customers. Contact us to learn more.